ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Comfyui Mcp Skill

v1.0.0

Generate AI videos, create storyboards, compose and download video clips, and check task progress via ComfyUI MCP service.

1· 104·0 current·0 all-time
bywangxx@wangxx07
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The SKILL.md and README describe integration with a local ComfyUI service (COMFYUI_HOST/COMFYUI_PORT) and instruct running ComfyUI locally, but the runtime client (utils/comfy_client.py) posts to COMFY_CLOUD_API and uses COMFY_CLOUD_API_KEY. The repo contains config/settings.yaml pointing at https://cloud.comfy.org and a placeholder API key, which is not referenced in the docs — this mismatch is disproportionate to the stated purpose.
!
Instruction Scope
Instructions tell the user to edit config/config.yaml and set COMFYUI_HOST/PORT, yet the code reads config/settings.yaml and environment variables COMFY_CLOUD_API/COMFY_CLOUD_API_KEY. The runtime will call external endpoints (/api/prompt, /api/view, /api/job/...) rather than a local ComfyUI HTTP API as documented, meaning user prompts, workflow JSON, and generated outputs may be transmitted to an external service not described in the SKILL.md.
Install Mechanism
No install spec in registry (instruction-only), uses a local Python server and requirements.txt — nothing fetched from obscure URLs and dependencies are standard. This is lower risk for arbitrary remote code, but the repo includes code that will perform network requests to an external API.
!
Credentials
No required env vars declared in metadata, but the code depends on COMFY_CLOUD_API and COMFY_CLOUD_API_KEY (and falls back to values in config/settings.yaml). The repo contains config/settings.yaml with comfy_cloud_api set to https://cloud.comfy.org and comfy_cloud_api_key set to a token-like string — a hard-coded endpoint/key in the repository is unexpected and could leak prompts/output to that endpoint. The documented COMFYUI_HOST/PORT environment variables are not used by the client.
Persistence & Privilege
Skill is not marked always:true, does not request system-wide config changes, and only exposes a user-level FastMCP server. No elevated persistence or automatic enabling is present.
What to consider before installing
Do not install blindly. The code will send workflows, prompts, and downloads to the COMFY_CLOUD_API endpoint (default: https://cloud.comfy.org) using an API key stored in config/settings.yaml — but the documentation claims a local ComfyUI. Before using: (1) inspect and if desired replace config/settings.yaml or set COMFY_CLOUD_API and COMFY_CLOUD_API_KEY to point to your own local ComfyUI or private endpoint; (2) remove hard-coded keys from the repo and supply your own credentials via environment variables; (3) review network calls in utils/comfy_client.py to ensure outputs/prompts are not exfiltrated to an external service you don't control; (4) if you expect a strictly local setup, modify the client to call your local ComfyUI HTTP API (COMFYUI_HOST/COMFYUI_PORT) instead of the cloud API. If you cannot confirm or control the destination of requests, treat this skill as risky for sensitive prompts or data.

Like a lobster shell, security has layers — review code before you run it.

latestvk97ecb5sz6exjqzyvvzrrpj7ah832qq8

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments